Cellular networks are increasingly used by Machine-to-Machine (M2M) devices, for example as part of the so-called “Internet of Things” (IoT). Many such devices are battery operated and are therefore subject to significant power limitations, for example needing to run for about ten years on a 5 kWh battery. In some applications, communications security for such M2M or IoT devices is a significant concern, in particular ensuring that user-plane data is communicated in a trusted manner. This security can take the form of confidentiality protection and/or data integrity protection. For some M2M or IoT users, interception or imitation (so-called “spoofing”) of user data could endanger their business, their reputation or their own safety.
When cellular M2M or IoT devices operate in their Home Public Land Mobile Network (PLMN), the network operator can guarantee a particular security level within that PLMN domain. In many cases, though, these devices will not operate in their Home PLMN, and the Home PLMN cannot ensure user data security when the device operates in a visited PLMN. Where security is a concern, users with devices operating in a visited PLMN may therefore rely on additional application-layer or transport-layer security mechanisms, such as Transport Layer Security (TLS) or the Generic Bootstrapping Architecture (GBA).
A recent study for the Third Generation Partnership Project (3GPP) Technical Specification Group (TSG) SA (Service and System Aspects) WG3 (S3-151121) compared the UMTS Authentication and Key Agreement (AKA) procedure with TLS and GBA. This study found that TLS and GBA are significantly less efficient than the AKA procedure, especially if the cellular network only provides a very low throughput connection (such as 160 bits per second) to the M2M or IoT device. When power consumption is considered, the significant number of communication exchanges and length of time needed to perform TLS or GBA could make them unsuitable for low power, low throughput devices. In particular, TLS has a large number of different security configurations, making it difficult to optimise.
These procedures therefore consume a non-negligible quantity of resources (in terms of time and/or energy). The configuration selected by M2M or IoT service providers to protect the user-plane data could considerably affect the performance of the cellular IoT network, and the devices could run out of battery earlier than expected. AKA, which is required for GPRS/UMTS or the Evolved Packet System (EPS), appears much more efficient by comparison. Finding a procedure that can co-operate with AKA, but which does not add the significant disadvantages associated with other existing security protocols, is therefore a challenge.